From d13e5346f7e258eece0df153cc74d4aca7ee3d4b Mon Sep 17 00:00:00 2001
From: Edward Cheng
Date: Mon, 17 Jun 2024 11:45:06 +1000
Subject: [PATCH] re-enable cilium network policies
---
 kubernetes/apps/homer/app/development.yaml | 7 +---
 kubernetes/infrastructure/cilium/cilium.yaml | 40 +++++++++----------
 .../infrastructure/cilium/kustomization.yaml | 8 ++--
 .../egress-world-with-lan.yaml | 12 ------
 .../cilium/networkpolicies/egress-world.yaml | 4 --
 kubernetes/infrastructure/kustomization.yaml | 2 +-
 6 files changed, 25 insertions(+), 48 deletions(-)
 delete mode 100644 kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml
diff --git a/kubernetes/apps/homer/app/development.yaml b/kubernetes/apps/homer/app/development.yaml
index fd78684..de254d6 100644
--- a/kubernetes/apps/homer/app/development.yaml
+++ b/kubernetes/apps/homer/app/development.yaml
@@ -13,13 +13,8 @@ spec:
 metadata:
 labels:
 app.kubernetes.io/name: homer
- rpi5.cluster.policy/egress-kubeapi: "true"
- rpi5.cluster.policy/egress-namespace: "true"
- rpi5.cluster.policy/egress-world: "true"
- rpi5.cluster.policy/ingress-namespace: "true"
- rpi5.cluster.policy/ingress-nginx: "true"
+ rpi5.cluster.policy/egress-nodes: "true"
 rpi5.cluster.policy/ingress-nodes: "true"
- rpi5.cluster.policy/ingress-world: "true"
 spec:
 securityContext:
 runAsUser: 1000
diff --git a/kubernetes/infrastructure/cilium/cilium.yaml b/kubernetes/infrastructure/cilium/cilium.yaml
index c778dfc..515cc4d 100644
--- a/kubernetes/infrastructure/cilium/cilium.yaml
+++ b/kubernetes/infrastructure/cilium/cilium.yaml
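Review bot: The homer pod template now keeps only the node-scoped `rpi5.cluster.policy/egress-nodes` and `ingress-nodes` labels and drops `ingress-nginx` and `ingress-world`, so if this Deployment is still exposed through ingress-nginx (not visible in this patch) an enforced policy set would block the ingress controller from reaching the pod; this is worth checking with Cilium's Hubble flow logs once the policies are actually reconciled. Nothing on the page records which CiliumClusterwideNetworkPolicy each `rpi5.cluster.policy/*` label selects, so a short comment above the labels, e.g. `# rpi5.cluster.policy/* labels opt this pod into the CiliumClusterwideNetworkPolicies under kubernetes/infrastructure/cilium/networkpolicies`, would make future label edits reviewable. The Deployment spec this label block belongs to starts before the hunk.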
@@ -14,24 +14,22 @@
 # namespace: flux-system
 # name: flux-system
 #---
-#apiVersion: kustomize.toolkit.fluxcd.io/v1
-#kind: Kustomization
-#metadata:
-# name: cilium-networkpolicies
-# namespace: cilium
-#spec:
-# suspend: true
-# interval: 10m
-# timeout: 1m30s
-# retryInterval: 30s
-# path: ./kubernetes/infrastructure/cilium/networkpolicies
-# prune: true
-# sourceRef:
-# kind: GitRepository
-# namespace: flux-system
-# name: flux-system
-# dependsOn:
-# - name: cilium
-# namespace: cilium
-# - name: ingress-nginx
-# namespace: ingress-nginx
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: cilium-networkpolicies
+ namespace: cilium
+spec:
+ suspend: true
+ interval: 10m
+ timeout: 1m30s
+ retryInterval: 30s
+ path: ./kubernetes/infrastructure/cilium/networkpolicies
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ namespace: flux-system
+ name: flux-system
+ dependsOn:
+ - name: ingress-nginx
+ namespace: ingress-nginx
diff --git a/kubernetes/infrastructure/cilium/kustomization.yaml b/kubernetes/infrastructure/cilium/kustomization.yaml
index bc7f9b2..ebeeb65 100644
--- a/kubernetes/infrastructure/cilium/kustomization.yaml
+++ b/kubernetes/infrastructure/cilium/kustomization.yaml
@@ -1,4 +1,4 @@
-#apiVersion: kustomize.config.k8s.io/v1beta1
-#kind: Kustomization
-#resources:
-# - cilium.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cilium.yaml
diff --git a/kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml b/kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml
deleted file mode 100644
index de7e3d2..0000000
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-world-with-lan.yaml
+++ /dev/null
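Review bot: The re-enabled `cilium-networkpolicies` Kustomization still carries `suspend: true`, so despite the subject line Flux will neither apply the policies under `./kubernetes/infrastructure/cilium/networkpolicies` nor prune anything from that path, and the homer label changes and the egress-world-with-lan.yaml deletion elsewhere in this patch are not enforced in the cluster until it is unsuspended. If the suspension is deliberate, record it on the field, e.g. `suspend: true  # TODO: set to false once <placeholder: blocking condition> — policies are NOT enforced while suspended`; otherwise the line should read `suspend: false`. The `dependsOn` entry for the `cilium` Kustomization was dropped, which is consistent with the preceding Kustomization in this file still being commented out in the context lines, but it means ordering against the CNI install is no longer guaranteed if cilium is managed from elsewhere. The cilium/kustomization.yaml hunk below also uncomments a `resources:` entry for cilium.yaml while infrastructure/kustomization.yaml references the same file directly; if both are ever built into one kustomization the resource would be emitted twice.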
@@ -1,12 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- name: egress-world-with-lan
- namespace: cilium
-spec:
- endpointSelector:
- matchLabels:
- rpi5.cluster.policy/egress-world-with-lan: "true"
- egress:
- - toCIDRSet:
- - cidr: 0.0.0.0/0
diff --git a/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml b/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
index 665ea52..03fe0ff 100644
--- a/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
+++ b/kubernetes/infrastructure/cilium/networkpolicies/egress-world.yaml
@@ -10,7 +10,3 @@ spec:
 egress:
 - toCIDRSet:
 - cidr: 0.0.0.0/0
- except:
- - 192.168.1.0/24
- - 192.168.2.0/24
- - 100.64.0.0/10
diff --git a/kubernetes/infrastructure/kustomization.yaml b/kubernetes/infrastructure/kustomization.yaml
index 40d9d9e..c564b54 100644
--- a/kubernetes/infrastructure/kustomization.yaml
+++ b/kubernetes/infrastructure/kustomization.yaml
@@ -9,6 +9,6 @@ resources:
 - ./namespaces/podinfo.yaml
 - ./namespaces/prometheus-operator.yaml
 - ./repositories/repositories.yaml
-# - ./cilium/cilium.yaml
+ - ./cilium/cilium.yaml
 - ./ingress-nginx/ingress-nginx-config.yaml
 - ./ingress-nginx/ingress-nginx.yaml
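Review bot: Removing the `except:` list leaves `egress-world` granting egress to all of 0.0.0.0/0, which now includes the 192.168.1.0/24 and 192.168.2.0/24 LAN ranges and the 100.64.0.0/10 shared address space (RFC 6598) the policy previously carved out, so every endpoint labelled `rpi5.cluster.policy/egress-world: "true"` silently gains LAN reachability and the policy becomes identical to the egress-world-with-lan.yaml deleted above. Cilium by default evaluates `toCIDRSet` against non-cluster (world) identities, so hosts on those LAN ranges are exactly what this rule newly admits. If the widening is intended, the policy name and a comment should say so, e.g. `# NOTE: 0.0.0.0/0 with no except — this also admits LAN (192.168.1.0/24, 192.168.2.0/24) and 100.64.0.0/10`; otherwise restore the `except:` block with the three ranges removed here. The `spec:` block this hunk sits in starts before the hunk.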